当前位置: 文江博客话题详情

如何保护 CI 中传递给控制器​​的段的安全

发布于 2024-12-29 09:05:47 字数 211 浏览 0 评论 0原文

我正在尝试将一个段传递给控制器​​。 url 类似于 base_url/controller/function/seg1。我想确保,如果用户尝试在地址栏中输入该段,控制器将确保除了我想要传递的段之外没有其他单词可以继续。

例如,如果用户尝试在地址栏中输入base_url/main/function/(将其更改为其他单词),控制器将过滤该段。我不知道该怎么做,如果有人能帮助我,我将不胜感激。

原文

I am trying to pass a segment to a controller. The url is like base_url/controller/function/seg1. I want to ensure that if the user try to enter the segment in the address bar, the controller would make sure there are not other words to be proceeded except the segment I want to pass.

For example, If the user tries to type base_url/main/function/(change this to other words) in address bar, the controller will filter the segment. I am not sure how to do it and would appreciate if someone can help me out.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

狠疯拽 2025-01-05 09:05:47

好的,因此“保护”此类事件的最佳方法是在用户登录您的站点时简单地创建一个会话,并在该会话中存储两个值;

1) 他们的数据库主键 ID,以及
2) 一个名为“logged_in”的会话项

当您的用户登录您的网站时,您将像这样存储这两个值;

$this->session->set_userdata('logged_in', true);
$this->session->set_userdata('user_id', $id);

其中 $id 在身份验证期间从用户记录中提取。

现在您已经有了这些内容,下一部分就是在您的控制器中放置一个 if 语句来检查用户是否已登录;

function show($id) {
  if($this->session->userdata('logged_in')) {
    $posts = $this->Model_posts->get_user_posts($id);
  }
}

现在,在您的模型中,您将创建一个函数来提取您希望用户能够根据其 user_id 查看的记录。例如,我们会说用户帖子。

function get_user_posts($user_id, $post_id) {
   $sql = "SELECT * FROM posts WHERE user_id = ? AND id = ?";
   $binds = array($user_id, $post_id);
   $qry = $this->db->query($sql, $binds);
   $result = array();

   while($row = $qry->result_array()) {
     array_push($result, $row);
   }
   return $result;
}

现在,当登录的用户或访问者尝试访问不属于他们的记录时,他们将不会检索任何记录,因为 select 语句限制仅返回给该用户的内容。

Okay, so the best way to "secure" against such things would be to simply create a session at the time the user logs into your site with two values stored in that session;

1) Their database primary key id, and
2) a session item called 'logged_in'

At the time that your user would log into your site, you would store those two values like this;

$this->session->set_userdata('logged_in', true);
$this->session->set_userdata('user_id', $id);

Where $id is pulled from their user record during authentication.

Now that you have those in there, the next part would be that, in your controller, you would put an if statement in that checks if the user is logged in, as such;

function show($id) {
  if($this->session->userdata('logged_in')) {
    $posts = $this->Model_posts->get_user_posts($id);
  }
}

Now, in your model, you would create a function for pulling the record that you want the user to be able to view based on their user_id. We'll say user posts for example.

function get_user_posts($user_id, $post_id) {
   $sql = "SELECT * FROM posts WHERE user_id = ? AND id = ?";
   $binds = array($user_id, $post_id);
   $qry = $this->db->query($sql, $binds);
   $result = array();

   while($row = $qry->result_array()) {
     array_push($result, $row);
   }
   return $result;
}

Now, when a logged in user or visitor tries to access records that don't belong to them, they will not retrieve any records because the select statement limits what's returned only to that user.

回复 原文
花间憩 2025-01-05 09:05:47

你的结构是这样的

base_url/controller/action

,所以,你的控制器已经“过滤”掉了它,因为如果你的控制器中没有方法/函数(方法=操作),那么你的控制器将触发 404 Page Not Found 错误。当然,您可以按照您认为合适的方式处理错误,但从您提供的内容来看,您希望过滤的项目称为控制器操作。

举例来说;

http://www.base_url.com/users/add

表示您希望调用用户控制器中的 add(函数)。

如果您想向添加操作传递一个参数,那么您可以这样做:

http://www.base_url.com/users/show/1

其中 show 是一个控制器操作,1 是您希望显示的用户的 ID。
我知道我似乎正在对 MVC 方法进行基本介绍,但正如我所说,您展示的结构就像我所描述的那样。

希望这有帮助。

The structure you have there is

base_url/controller/action

So, your controller is already "filtering" it out because if you don't have a method/function in the controller (methods = actions) then your controller will trigger a 404 Page Not Found error. Of coarse, you could then handle your errors however you see fit, but from what you presented, the item you wish to filter is known as a controller action.

So for instance;

http://www.base_url.com/users/add

denotes that you wish to call the add (function) in the users controller.

If you want to pass the add action an argument, then you would do this as;

http://www.base_url.com/users/show/1

Where show would be a controller action and 1 would be the id of the user you wish to show.
I know it seems like I'm giving a basic intro to MVC methodologies, but like I said, the structure you showed plays out like I described.

Hope this helps.

回复 原文
~没有更多了~

关于作者

≈。彩虹

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

檐前雨

文章 0 评论 0

鹿港巷口少年归

文章 0 评论 0

qq_32QL4xcD

文章 0 评论 0

sum_

文章 0 评论 0

DLL

文章 0 评论 0

唐婉

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文